Fix TLS 1.3 session resumption detection.

Now we detect TLS 1.3 session resumption by looking if both sides have the PSK extension set, which is much more exact than the previous approach.
2025-10-02 06:38:20 +00:00 · 2020-12-15 16:28:14 +00:00 · 2020-12-15 16:28:14 +00:00 · 3c95c9a956
commit 3c95c9a956
parent 84315b54c3
8 changed files with 256 additions and 197 deletions
--- a/scripts/base/protocols/ssl/main.zeek
+++ b/scripts/base/protocols/ssl/main.zeek
@ -46,6 +46,10 @@ export {
 		## by the client. This value is used to determine if a session
 		## is being resumed. It's not logged.
 		client_key_exchange_seen: bool     &default=F;
+		## Track if the client sent a pre-shared-key extension.
+		## Used to determine if a TLS 1.3 session is being resumed.
+		## Not logged.
+		client_psk_seen: bool     &default=F;

 		## Last alert that was seen during the connection.
 		last_alert:       string           &log &optional;
@ -231,7 +235,7 @@ event ssl_server_hello(c: connection, version: count, record_version: count, pos
 		}
 	c$ssl$cipher = cipher_desc[cipher];

-	if ( c$ssl?$session_id && c$ssl$session_id == bytestring_to_hexstr(session_id) )
+	if ( c$ssl?$session_id && c$ssl$session_id == bytestring_to_hexstr(session_id) && c$ssl$version_num/0xFF != 0x7F && c$ssl$version_num != TLSv13 )
 		c$ssl$resumed = T;
 	}

@ -299,10 +303,16 @@ event ssl_extension(c: connection, is_orig: bool, code: count, val: string) &pri
 	{
 	set_session(c);

-	if ( is_orig && SSL::extensions[code] == "SessionTicket TLS" && |val| > 0 )
+	if ( is_orig && code == 35 && |val| > 0 ) # 35 == SessionTicket TLS
 		# In this case, we might have an empty ID. Set back to F in client_hello event
 		# if it is not empty after all.
 		c$ssl$client_ticket_empty_session_seen = T;
+	else if ( is_orig && code == 41 ) # 41 == pre_shared_key
+		# In this case, the client sent a PSK extension which can be used for resumption
+		c$ssl$client_psk_seen = T;
+	else if ( ! is_orig && code == 41 && c$ssl$client_psk_seen )
+		# In this case, the server accepted the PSK offered by the client.
+		c$ssl$resumed = T;
 	}

 event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=5
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@ -559,7 +559,7 @@ event ssl_plaintext_data%(c: connection, is_orig: bool, record_version: count, c
 ## length: length of the entire message.
 ##
 ## .. zeek:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
-##    ssl_alert ssl_heartbeat
+##    ssl_alert ssl_heartbeat ssl_probable_encrypted_handshake_message
 event ssl_encrypted_data%(c: connection, is_orig: bool, record_version: count, content_type: count, length: count%);

 ## This event is generated for application data records of TLS 1.3 connections of which
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-version/ssl.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-version/ssl.log
@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
 #types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.86.23	63449	52.32.149.186	443	TLSv13-draft23	TLS_AES_128_GCM_SHA256	x25519	tls13.crypto.mozilla.org	T	-	-	T	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.86.23	63449	52.32.149.186	443	TLSv13-draft23	TLS_AES_128_GCM_SHA256	x25519	tls13.crypto.mozilla.org	F	-	-	T	-	-	-	-	-	-
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/.stdout
@ -1,4 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+tls13draft16-chrome55.0.2879.0-canary-aborted.pcap
 key_share, [orig_h=192.168.6.203, orig_p=53226/tcp, resp_h=52.32.149.186, resp_p=443/tcp], T
 unknown-27242
 x25519
@ -7,6 +8,7 @@ key_share, [orig_h=192.168.6.203, orig_p=53227/tcp, resp_h=52.32.149.186, resp_p
 unknown-19018
 x25519
 client, TLSv10, TLSv12
+tls13draft16-chrome55.0.2879.0-canary.pcap
 key_share, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T
 unknown-43690
 x25519
@ -14,6 +16,13 @@ client, TLSv10, TLSv12
 key_share, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
 x25519
 server, TLSv10, TLSv13-draft14
+encrypted, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+established, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp]
+encrypted, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 key_share, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T
 unknown-60138
 x25519
@ -21,17 +30,30 @@ client, TLSv10, TLSv12
 key_share, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
 x25519
 server, TLSv10, TLSv13-draft14
+encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 established, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp]
 encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
 encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+tls13draft16-ff52.a01-aborted.pcap
 key_share, [orig_h=192.150.187.20, orig_p=54980/tcp, resp_h=52.32.149.186, resp_p=443/tcp], T
 x25519
 secp256r1
 secp384r1
 client, TLSv10, TLSv12
 client, TLSv10, TLSv12
+tls13draft16-ff52.a01.pcap
 key_share, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T
 x25519
 secp256r1
@ -40,6 +62,12 @@ client, TLSv10, TLSv12
 key_share, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
 secp384r1
 server, TLSv10, TLSv13-draft16
+encrypted, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 key_share, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T
 x25519
 secp256r1
@ -48,13 +76,23 @@ client, TLSv10, TLSv12
 key_share, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
 secp384r1
 server, TLSv10, TLSv13-draft16
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 established, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp]
 encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
 encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
 encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+tls13_psk_succesfull.pcap
 key_share, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], T
 x25519
 client, TLSv10, TLSv12
@ -69,16 +107,21 @@ encrypted, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_
 encrypted, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], T, TLSv12, 23
 encrypted, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], F, TLSv12, 23
 encrypted, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], T, TLSv12, 23
+hrr.pcap
 key_share, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T
 secp224r1
 client, TLSv10, TLSv12
 key_share, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F
 secp256r1
 server, TLSv12, TLSv12
+key_share, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T
+secp256r1
+client, TLSv12, TLSv12
+key_share, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F
+secp256r1
+server, TLSv12, TLSv12
+encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F, TLSv12, 23
 established, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp]
-encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T, TLSv12, 22
-encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F, TLSv12, 22
-encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F, TLSv12, 23
 encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T, TLSv12, 23
 encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F, TLSv12, 23
 encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T, TLSv12, 23
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/ssl-out.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/ssl-out.log
@ -18,7 +18,7 @@ XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	192.168.6.203	53227	52.32.149.186	443	-	-	-
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
 #types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.6.203	53994	138.68.41.77	443	TLSv13-draft14	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256	x25519	-	F	-	-	F	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.6.203	53994	138.68.41.77	443	TLSv13-draft14	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256	x25519	-	F	-	-	T	-	-	-	-	-	-
 XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	192.168.6.203	53996	138.68.41.77	443	TLSv13-draft14	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256	x25519	-	F	-	-	T	-	-	-	-	-	-
 #close XXXX-XX-XX-XX-XX-XX
 #separator \x09
@ -61,5 +61,5 @@ XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.178.80	54220	174.138.9.219	443	TLSv1
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
 #types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.192.48.168	63564	64.233.185.139	443	TLSv13	TLS_AES_256_GCM_SHA384	secp256r1	-	T	-	-	T	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.192.48.168	63564	64.233.185.139	443	TLSv13	TLS_AES_256_GCM_SHA384	secp256r1	-	F	-	-	T	-	-	-	-	-	-
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log
--- a/testing/btest/scripts/base/protocols/ssl/tls13.test
+++ b/testing/btest/scripts/base/protocols/ssl/tls13.test
@ -1,13 +1,19 @@
+# @TEST-EXEC: echo "tls13draft16-chrome55.0.2879.0-canary-aborted.pcap"
 # @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13draft16-chrome55.0.2879.0-canary-aborted.pcap %INPUT
 # @TEST-EXEC: cat ssl.log > ssl-out.log
+# @TEST-EXEC: echo "tls13draft16-chrome55.0.2879.0-canary.pcap"
 # @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13draft16-chrome55.0.2879.0-canary.pcap %INPUT
 # @TEST-EXEC: cat ssl.log >> ssl-out.log
+# @TEST-EXEC: echo "tls13draft16-ff52.a01-aborted.pcap"
 # @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13draft16-ff52.a01-aborted.pcap %INPUT
 # @TEST-EXEC: cat ssl.log >> ssl-out.log
+# @TEST-EXEC: echo "tls13draft16-ff52.a01.pcap"
 # @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13draft16-ff52.a01.pcap %INPUT
 # @TEST-EXEC: cat ssl.log >> ssl-out.log
+# @TEST-EXEC: echo "tls13_psk_succesfull.pcap"
 # @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13_psk_succesfull.pcap %INPUT
 # @TEST-EXEC: cat ssl.log >> ssl-out.log
+# @TEST-EXEC: echo "hrr.pcap"
 # @TEST-EXEC: zeek -b -C -r $TRACES/tls/hrr.pcap %INPUT
 # @TEST-EXEC: cat ssl.log >> ssl-out.log
 # @TEST-EXEC: btest-diff ssl-out.log